February 3, 2010 at 9:29 pm
I'm a newbie who has setup SQL server 2008 Express on a Vista machine. I installed the express edition on under my adminstrator account, and set it to use windows authentication. Then, as a test, I created a limited account (aka a standard account on Vista) and tried to connect to the database engine and IT WORKED. I understand that being a limited account it's not supposed to.
I looked under settings for both, to see if I could find why this is happening. What I see is this:
When I login through my windows administrator account, under "Logins" I see BUILTIN/users instead of BUILTIN/Administrators. I do not know why this is. But I am speculating that because of this setting, I am able to login to the database engine even through the limited/standard account. Below BUILTIN/users I see MYPC/ADMINISTRATOR (i.e. mypc's name/my login name for windows).
Another piece of information: I don't think i am able to access everything through my limited account though. When I click on "Logins'' while connected through my limited account, I only see BUILTIN/USERS and sa underneath it. When I click on BUILTIN/USERS and then click on the "connection properties" it shows me "server unavailable" for all fields.
Can someone kindly inform me as to what is going on here? Is a limited/standard account on my PC able to access the SQL server? And from the text that I read (by Robin Dewson) I'm supposed to see BUILTIN/ADMINISTRATOR instead of BUILTIN/USER.
Sorry if my questions are lame, just starting out with sql 2008...this is my second day. If further clarification is needed, please inform.
TIA
February 3, 2010 at 9:40 pm
like2innovate (2/3/2010)
I'm a newbie who has setup SQL server 2008 Express on a Vista machine. I installed the express edition on under my adminstrator account, and set it to use windows authentication. Then, as a test, I created a limited account (aka a standard account on Vista) and tried to connect to the database engine and IT WORKED. I understand that being a limited account it's not supposed to.I looked under settings for both, to see if I could find why this is happening. What I see is this:
When I login through my windows administrator account, under "Logins" I see BUILTIN/users instead of BUILTIN/Administrators. I do not know why this is. But I am speculating that because of this setting, I am able to login to the database engine even through the limited/standard account. Below BUILTIN/users I see MYPC/ADMINISTRATOR (i.e. mypc's name/my login name for windows).
Another piece of information: I don't think i am able to access everything through my limited account though. When I click on "Logins'' while connected through my limited account, I only see BUILTIN/USERS and sa underneath it. When I click on BUILTIN/USERS and then click on the "connection properties" it shows me "server unavailable" for all fields.
Can someone kindly inform me as to what is going on here? Is a limited/standard account on my PC able to access the SQL server? And from the text that I read (by Robin Dewson) I'm supposed to see BUILTIN/ADMINISTRATOR instead of BUILTIN/USER.
Sorry if my questions are lame, just starting out with sql 2008...this is my second day. If further clarification is needed, please inform.
TIA
Unless you remove builtin\users, then your standard accounts will be able to login to SQL. When you login with your admin account you have elevated privileges. When you login using the \users account, you have limited administration ability.
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw[/url]
Learn Extended Events
February 3, 2010 at 9:43 pm
So do I just delete it? And if so, what about the BUILTIN/ADMINISTRATORS, it's not there. Is it supposed to be? Or is my MYPC/ADMINISTRATOR (aka computername/login name) enough?
Sorry if my questions seem foolish.
February 3, 2010 at 10:55 pm
like2innovate (2/3/2010)
So do I just delete it? And if so, what about the BUILTIN/ADMINISTRATORS, it's not there. Is it supposed to be? Or is my MYPC/ADMINISTRATOR (aka computername/login name) enough?Sorry if my questions seem foolish.
the builtin\administrators group is not required as a login in SQL server. If you want a specific login to have certain access within SQL server you must manually add that login and grant the specific accesses you want. That must be done using a login that has adequate permission to grant permissions.
Here is a resource that may be of some help.
http://vyaskn.tripod.com/sql_server_security_best_practices.htm
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw[/url]
Learn Extended Events
February 4, 2010 at 4:16 pm
I think I also found an answer to this in the Microsoft documentation:
http://msdn.microsoft.com/en-us/library/bb326612.aspx
"In SQL Server Express, Windows users are granted connect permission because the BUILTIN\Users group is provided as a login."
I installed SQL Server Express via the web platform installation from the Microsoft site, and that might explain why the BUILTIN\USERS is there. If anybody has any thoughts on this, kindly comment.
February 4, 2010 at 5:31 pm
You're welcome.
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw[/url]
Learn Extended Events
Viewing 7 posts - 1 through 6 (of 6 total)
You must be logged in to reply to this topic. Login to reply